@fatsug Hello! The last_validated_bundle differs from the active_bundle, which identifies the bundle that was most recently applied and is currently active across the peer nodes. Refer: https://docs.splunk.com/Documentation/Splunk/9.3.2/Indexer/Updatepeerconfigurations#Use_the_CLI_to_validate_the_bundle_and_check_restart If this helps, please upvote.
@kwangwon The Splunk Cloud trial version is a standalone system and uses self-signed certs. You can try using curl -k "https://ilove.splunkcloud.com:8088/services/collector" If this reply helps, please upvote.
Hi @Amoreuser, Based on what you described, there seems to be a config issue in your alert setup. If your threshold is set to 90 but alerts are triggering at 89.1, you may want to check a few things: First, verify that your alert condition is set to exactly "Above" and not "Above or Equal". Second, take a look at your search query to make sure there is no unintended data processing affecting the values. If you're working with decimal values, you might want to add a round() function in your search to ensure more precise threshold control. Could you share your search query so I can help identify the issue? If this helps, please upvote.
Yes, it's recommended as a best practice to implement all Magic 8 configs because they establish consistency and reliability in data onboarding. While most TAs start with Magic 6, adding the EVENT_BREAKER configs gives you better control over event distribution and parsing. Think of Magic 6 as the minimum standard, and Magic 8 as the complete package for optimal data handling. The TAs can be updated with the additional configs when needed based on your specific deployment, but having all 8 from the start is generally ideal as it prevents potential data parsing issues down the line. If this helps, please upvote.
@StanD3sec I don't think there is one for Enterprise yet (the Splunk Cloud ACS API has one). But you can use the Splunk Enterprise SDKs here: https://dev.splunk.com/enterprise/downloads/ https://docs.splunk.com/Documentation/Splunk/9.3.2/RESTREF/RESTlist If this helps, please upvote.
@christophecris This looks like Python core functionality is broken? Any details about your instance? What version? This might be a bug or an incompatible OS package. Did this happen after a change, or an upgrade? If this helps, please upvote.
@majilan1 The rex timeout typically happens with complex events/data, or a lot of wildcards in your regex. Refer: https://docs.splunk.com/Documentation/Splunk/9.1.1/Admin/Limitsconf#.5Brex.5D Try using that with the max_match option: | rex max_match=0 If this helps, please upvote.
@Karthikeya Index peers are simply indexers that work together in a Splunk cluster environment. They are responsible for receiving, processing, and storing data while maintaining copies across multiple indexers for redundancy and high availability. When a Cluster Master pushes configuration changes through an index cluster bundle, all index peers receive the same settings to ensure consistent operation across the cluster. Refer: https://docs.splunk.com/Documentation/Splunk/9.3.2/Indexer/Basicclusterarchitecture https://docs.splunk.com/Documentation/Splunk/9.3.2/Indexer/Howclusteredindexingworks If this helps, please upvote and mark as solved.
@uagraw01 That is Splunk's default user role and is recommended as a best practice. It works with rest_properties_get, but if you remove that you will have different issues; I do not recommend it. You have different ones there which are not needed, like Data inputs, Tokens and Server Settings; these should be handled by admin. These are the typical native capabilities of the Splunk user role. If this helps, please upvote.
@uagraw01 Please refer to this: https://docs.splunk.com/Documentation/Splunk/9.3.2/Admin/Authorizeconf
Based on what I see, the role might have inherited "admin_all_objects" from a different role. Also check the "edit_own_objects" and "list_all_objects" capabilities.

[capability::admin_all_objects]
* Lets a user access all objects in the system, such as user objects and
  knowledge objects.
* Lets a user bypass any Access Control List (ACL) restrictions, similar
  to the way root access in a *nix environment does.
* The Splunk platform checks this capability when accessing manager pages and objects.

Use this: ./splunk btool authorize list role_Splunk_engineer --debug
If this helps, please upvote.
Data Flow:
Data goes DIRECTLY from the UF to the indexers on port 9997 (not to the cluster manager).
The Cluster Manager only handles configuration distribution.

Configuration Management:
Props and transforms configs are deployed via the cluster manager.
These configs are pushed to the index peers via the index cluster bundle.

Processing Location:
All parsing happens on the indexers (index peers).
Each indexer applies the deployed configurations independently.

For Deep Understanding:
Refer: https://community.splunk.com/t5/Getting-Data-In/Diagrams-of-how-indexing-works-in-the-Splunk-platform-the-Masa/m-p/590774
Review the props.conf documentation: docs.splunk.com/Documentation/Splunk/9.1.0/Admin/Propsconf docs.splunk.com/Documentation/ITSI/4.17.0/Configure/transforms.conf
Since there are many pipeline components, I encourage you to read through these resources for a complete understanding. Simple data flow here. If this helps, please upvote.
If you are asking about Splunk Cloud, you can download the private connectivity universal forwarder app. https://docs.splunk.com/Documentation/SplunkCloud/9.2.2403/Security/Privateconnectivityenable https://docs.splunk.com/File:PC4.png If this helps, please upvote.
To troubleshoot your sources failing to lastchanceindex, I recommend checking whether your REGEX pattern is too strict. If this helps, please upvote.
HFs do NOT need an enterprise license if you are just ingesting/parsing. On a HF, if you are locally indexing, "you need an enterprise license". If this reply helps, please upvote.
The biggest change on the Universal Forwarder from 9.0 > 9.3 was the least-privileged user. https://docs.splunk.com/Documentation/Forwarder/9.3.1/Forwarder/InstallaWindowsuniversalforwarderfromaninstaller#Manage_SePrivilegeUser_permissions Do you see any issues with the permissions? I recommend working with support if this is happening frequently on all your Windows hosts. If this reply helps, please upvote.
@jaibalaraman Hello, if I understand correctly you mean something like a "reset token" button? I don't think that is currently supported in Studio. It might be available in future versions. Try something like this; it might work:
1. Add a Button Input
2. Configure the Action as "Go to URL"
3. Set the URL to the dashboard's URL
4. Default tokens will be preserved as defined in the Initialize Tokens section
If this reply helps, please upvote.
@best-west Basically we need to package a new app that has a props.conf for the SEDCMD, referencing your sourcetype for the data needing to be transformed, and deploy it from the UI via uploaded apps. I think the issue might be because of 000-self-service-app. You can also ask Splunk support to make this update for you. Is this a Classic or Victoria stack? If you want to create props/transforms as mentioned, try using ingest actions and see this as an example: https://lantern.splunk.com/Splunk_Platform/Product_Tips/Data_Management/Using_ingest_actions_to_filter_AWS_CloudTrail_logs If my reply helps, please upvote.
The key insight is that KV_MODE=json is applied at search time on the Search Head, while SEDCMDs are part of the parsing pipeline (Typing / Regexreplacement) that must occur during indexing. In Splunk Cloud, that should have done it; we need to make sure your sourcetype configuration with these SEDCMDs is properly deployed to the indexing tier, not just the search head (you could use SEDCMDs on the SH), since that's where the actual parsing/transformation of the data needs to happen. Try deploying your SEDCMD config using a self-service app and see if that makes a difference. Also, if you don't want to write props and transforms, check out: https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/DataIngest#Create_a_ruleset_with_the_Ingest_Actions_page https://docs.splunk.com/Documentation/SplunkCloud/9.2.2406/IngestProcessor/AboutIngestProcessorSolution If my reply helps, please upvote.
Is it sending too much data, including its own logs? I think the endpoint server is busy. Did you try sending a small batch of events to test on one of those Linux servers? Try sending data from just one UF to isolate whether it's a load issue. Check if there are any SSL/TLS version mismatches between 9.2.3 and 9.3.x. Review these settings if you haven't: check outputs.conf and verify inputs.conf. https://docs.splunk.com/Documentation/Splunk/9.3.1/Admin/Outputsconf#HTTP_Output_stanzas If this helps, please upvote.
Hello @shai, have you also tried using a cron job? Yes, we need to define the modinput in inputs.conf.spec to get that populated in the UI. Can you also try with local/inputs.conf? What version of Splunk are you running? I don't recall; this must be an old known issue for Windows. I recommend reaching out to support if you are stuck. If this helps, please upvote.
How about something like this to start with? index=_internal sourcetype=splunkd log_level=WARN host=sh* component=DispatchManager "QUEUED" | stats count by host
Hello @Strangertinz, have you checked this? https://community.splunk.com/t5/Getting-Data-In/Why-is-Windows-event-log-message-data-being-truncated-and-only/td-p/231310 Do you have any other issue with your sourcetype? If this is not working, please work with Splunk support; they might ask you to generate a diag with DEBUG options to look for the TRUNCATE message. If this helps, please upvote.